amadey | e5db33a91b7e4fd54196dad1042df50860dc815fdd1fb88a5e093ea2597cb196

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/09/2024, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.8MB
MD5

b6041e0fe108db5e8addcf6d6b4da4bf
SHA1

4f6d688e4294362965c5e74999cd6f4c24566956
SHA256

e5db33a91b7e4fd54196dad1042df50860dc815fdd1fb88a5e093ea2597cb196
SHA512

7f64d463e9540a3625b5e68b4afdf4237b0241c144c5fb047d86bfb8491a51f68c34c57566d09b67013b10325a5da0b04664a30539d125ce6b85438846fa1b95
SSDEEP

49152:YjBUKhKl0VrRLsa7d/yVaFHd25wLSEC3ymriMz:Yj/KlYRQa7dyVuw5wLSE6ymriM

Score

10^/10

amadey asyncrat nightingale fed3aa collection credential_access discovery evasion execution persistence rat stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.41

Botnet

fed3aa

http://185.215.113.16

Attributes

install_dir
44111dbc49
install_file
axplong.exe
strings_key
8d0ad6945b1a30a186ec2d30be6db0b5
url_paths
/Jo89Ku7d/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Nightingale stealer
Nightingale stealer is an information stealer written in C#.
stealer nightingale

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	file.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	axplong.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	neon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	neon.exe

Executes dropped EXE 6 IoCs

pid	Process
896	axplong.exe
3860	neon.exe
1684	neon.exe
4864	neon.exe
2828	axplong.exe
3872	axplong.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine	file.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine	axplong.exe

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\neon = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\neon.exe"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4892	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2044	file.exe
896	axplong.exe
2828	axplong.exe
3872	axplong.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3860 set thread context of 1760	3860	neon.exe	92
PID 3860 set thread context of 1088	3860	neon.exe	99

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\axplong.job	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axplong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1728	cmd.exe
1484	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1484	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2044	file.exe
2044	file.exe
896	axplong.exe
896	axplong.exe
3860	neon.exe
3860	neon.exe
3860	neon.exe
3860	neon.exe
1684	neon.exe
4864	neon.exe
4864	neon.exe
4864	neon.exe
3860	neon.exe
3860	neon.exe
2828	axplong.exe
2828	axplong.exe
3860	neon.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe
1088	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	neon.exe
Token: SeDebugPrivilege	1684	neon.exe
Token: SeDebugPrivilege	4864	neon.exe
Token: SeDebugPrivilege	1088	InstallUtil.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2044	file.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 896	2044	file.exe	82
PID 2044 wrote to memory of 896	2044	file.exe	82
PID 2044 wrote to memory of 896	2044	file.exe	82
PID 896 wrote to memory of 3860	896	axplong.exe	83
PID 896 wrote to memory of 3860	896	axplong.exe	83
PID 3860 wrote to memory of 1728	3860	neon.exe	89
PID 3860 wrote to memory of 1728	3860	neon.exe	89
PID 1728 wrote to memory of 1484	1728	cmd.exe	91
PID 1728 wrote to memory of 1484	1728	cmd.exe	91
PID 3860 wrote to memory of 1760	3860	neon.exe	92
PID 3860 wrote to memory of 1760	3860	neon.exe	92
PID 3860 wrote to memory of 1760	3860	neon.exe	92
PID 3860 wrote to memory of 1760	3860	neon.exe	92
PID 3860 wrote to memory of 1760	3860	neon.exe	92
PID 3860 wrote to memory of 1760	3860	neon.exe	92
PID 3860 wrote to memory of 1760	3860	neon.exe	92
PID 1728 wrote to memory of 4144	1728	cmd.exe	95
PID 1728 wrote to memory of 4144	1728	cmd.exe	95
PID 3860 wrote to memory of 1684	3860	neon.exe	98
PID 3860 wrote to memory of 1684	3860	neon.exe	98
PID 3860 wrote to memory of 1684	3860	neon.exe	98
PID 3860 wrote to memory of 1088	3860	neon.exe	99
PID 3860 wrote to memory of 1088	3860	neon.exe	99
PID 3860 wrote to memory of 1088	3860	neon.exe	99
PID 3860 wrote to memory of 1088	3860	neon.exe	99
PID 3860 wrote to memory of 1088	3860	neon.exe	99
PID 3860 wrote to memory of 1088	3860	neon.exe	99
PID 1684 wrote to memory of 4864	1684	neon.exe	100
PID 1684 wrote to memory of 4864	1684	neon.exe	100
PID 1684 wrote to memory of 4864	1684	neon.exe	100
PID 1088 wrote to memory of 4892	1088	InstallUtil.exe	102
PID 1088 wrote to memory of 4892	1088	InstallUtil.exe	102
PID 1088 wrote to memory of 1980	1088	InstallUtil.exe	104
PID 1088 wrote to memory of 1980	1088	InstallUtil.exe	104

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
  "C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe
    "C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1 -n 10
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1484
    - - C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "neon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\neon.exe"
        5⤵
        Adds Run key to start application
        
        PID:4144
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:1760
  - - C:\Users\Admin\AppData\Local\Temp\neon.exe
      "C:\Users\Admin\AppData\Local\Temp\neon.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\neon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\neon.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      outlook_office_path
      outlook_win_path
      PID:1088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2828

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\neon.exe.log

Filesize
1KB

MD5
7dca233df92b3884663fa5a40db8d49c

SHA1
208b8f27b708c4e06ac37f974471cc7b29c29b60

SHA256
90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c

SHA512
d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000356001\neon.exe

Filesize
3.5MB

MD5
b3fd0e1003b1cd38402b6d32829f6135

SHA1
c9cedd6322fb83457f56b64b4624b07e2786f702

SHA256
e4a36be98f730d706d2ca97a5d687329a1cc7d4848daf698b7e21b6b9b577f31

SHA512
04692e0f80a75f78b533677cefe3db6607108abf19963d88e231925cfa13f1ec054811aebe53c82d238e732a999cd8d176107d50cf2ea5694d4177cbfd3b30f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\44111dbc49\axplong.exe

Filesize
1.8MB

MD5
b6041e0fe108db5e8addcf6d6b4da4bf

SHA1
4f6d688e4294362965c5e74999cd6f4c24566956

SHA256
e5db33a91b7e4fd54196dad1042df50860dc815fdd1fb88a5e093ea2597cb196

SHA512
7f64d463e9540a3625b5e68b4afdf4237b0241c144c5fb047d86bfb8491a51f68c34c57566d09b67013b10325a5da0b04664a30539d125ce6b85438846fa1b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_panvjlqi.5z5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\neon.exe

Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\neon.txt

Filesize
64B

MD5
d1c60133852a1394257738b427c83d14

SHA1
8246030044c729cc3a255caae907257f3a8c270d

SHA256
5a56d7924876c3f17f5240bb4603e61e7c19aa1b56136dc785f3c29db6bbb046

SHA512
f1a32300f872be2ced6a33b410ff6aebbb005e3dff8bde4827cb0dd07af1d5a68e473bf5e53ee89df381e49bb3f9617cc25846f321b1199f8eff9fe95cc69d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\neon.txt

Filesize
67B

MD5
cb215c1c88377118e8eaaca9de7fac16

SHA1
4dd06100e120b21a6c09c06c4a8ceb881f14bc25

SHA256
ed41ac13315e9eaa811f8564e9ecaaad92c01eba56bd74ef63f60468bd4e3579

SHA512
41741c32ab652fdca3dfb657b0f87654130bdecccadcc5eb55129d8b5fd1b2f0f61e76de9527acdbfda7d7a34dd3dddb2e62fbbbc37cff31f4cb303ac5b9b385

Download Submit
memory/896-44-0x0000000000640000-0x0000000000AEC000-memory.dmp

Filesize
4.7MB

Download
memory/896-18-0x0000000000640000-0x0000000000AEC000-memory.dmp

Filesize
4.7MB

Download
memory/896-22-0x0000000000640000-0x0000000000AEC000-memory.dmp

Filesize
4.7MB

Download
memory/896-20-0x0000000000640000-0x0000000000AEC000-memory.dmp

Filesize
4.7MB

Download
memory/896-19-0x0000000000641000-0x000000000066F000-memory.dmp

Filesize
184KB

Download
memory/896-92-0x0000000000640000-0x0000000000AEC000-memory.dmp

Filesize
4.7MB

Download
memory/896-43-0x0000000000640000-0x0000000000AEC000-memory.dmp

Filesize
4.7MB

Download
memory/896-21-0x0000000000640000-0x0000000000AEC000-memory.dmp

Filesize
4.7MB

Download
memory/896-45-0x0000000000640000-0x0000000000AEC000-memory.dmp

Filesize
4.7MB

Download
memory/1088-508-0x000001208F3E0000-0x000001208F420000-memory.dmp

Filesize
256KB

Download
memory/1088-509-0x00000120A8290000-0x00000120A82AE000-memory.dmp

Filesize
120KB

Download
memory/1088-507-0x00000120A82F0000-0x00000120A8366000-memory.dmp

Filesize
472KB

Download
memory/1088-442-0x0000000040000000-0x0000000040030000-memory.dmp

Filesize
192KB

Download
memory/1088-443-0x000001208DB00000-0x000001208DB2C000-memory.dmp

Filesize
176KB

Download
memory/1684-239-0x0000000000940000-0x000000000095A000-memory.dmp

Filesize
104KB

Download
memory/1684-240-0x00000000052E0000-0x000000000537C000-memory.dmp

Filesize
624KB

Download
memory/2044-2-0x0000000000491000-0x00000000004BF000-memory.dmp

Filesize
184KB

Download
memory/2044-4-0x0000000000490000-0x000000000093C000-memory.dmp

Filesize
4.7MB

Download
memory/2044-3-0x0000000000490000-0x000000000093C000-memory.dmp

Filesize
4.7MB

Download
memory/2044-0-0x0000000000490000-0x000000000093C000-memory.dmp

Filesize
4.7MB

Download
memory/2044-1-0x00000000776F4000-0x00000000776F6000-memory.dmp

Filesize
8KB

Download
memory/2044-17-0x0000000000490000-0x000000000093C000-memory.dmp

Filesize
4.7MB

Download
memory/2828-251-0x0000000000640000-0x0000000000AEC000-memory.dmp

Filesize
4.7MB

Download
memory/2828-253-0x0000000000640000-0x0000000000AEC000-memory.dmp

Filesize
4.7MB

Download
memory/3860-90-0x00000000262F0000-0x00000000262F8000-memory.dmp

Filesize
32KB

Download
memory/3860-62-0x0000000003630000-0x0000000003646000-memory.dmp

Filesize
88KB

Download
memory/3860-73-0x000000001FF40000-0x000000001FFDE000-memory.dmp

Filesize
632KB

Download
memory/3860-74-0x00000000200C0000-0x000000002020E000-memory.dmp

Filesize
1.3MB

Download
memory/3860-72-0x000000001FEB0000-0x000000001FF33000-memory.dmp

Filesize
524KB

Download
memory/3860-71-0x000000001FB50000-0x000000001FEA5000-memory.dmp

Filesize
3.3MB

Download
memory/3860-75-0x0000000022F00000-0x000000002363F000-memory.dmp

Filesize
7.2MB

Download
memory/3860-64-0x0000000003710000-0x0000000003732000-memory.dmp

Filesize
136KB

Download
memory/3860-87-0x0000000025200000-0x0000000025315000-memory.dmp

Filesize
1.1MB

Download
memory/3860-66-0x0000000003770000-0x000000000387B000-memory.dmp

Filesize
1.0MB

Download
memory/3860-89-0x00000000253F0000-0x0000000025673000-memory.dmp

Filesize
2.5MB

Download
memory/3860-88-0x0000000025320000-0x00000000253ED000-memory.dmp

Filesize
820KB

Download
memory/3860-91-0x0000000026350000-0x0000000026504000-memory.dmp

Filesize
1.7MB

Download
memory/3860-86-0x0000000024C50000-0x0000000024DF9000-memory.dmp

Filesize
1.7MB

Download
memory/3860-85-0x00000000249C0000-0x0000000024A70000-memory.dmp

Filesize
704KB

Download
memory/3860-76-0x0000000023640000-0x0000000023DD0000-memory.dmp

Filesize
7.6MB

Download
memory/3860-84-0x0000000023EE0000-0x0000000023EF9000-memory.dmp

Filesize
100KB

Download
memory/3860-83-0x0000000023ED0000-0x0000000023EDC000-memory.dmp

Filesize
48KB

Download
memory/3860-82-0x0000000023E90000-0x0000000023EC4000-memory.dmp

Filesize
208KB

Download
memory/3860-81-0x0000000023DD0000-0x0000000023DE8000-memory.dmp

Filesize
96KB

Download
memory/3860-80-0x0000000022EC0000-0x0000000022EE7000-memory.dmp

Filesize
156KB

Download
memory/3860-79-0x0000000022EA0000-0x0000000022EBF000-memory.dmp

Filesize
124KB

Download
memory/3860-78-0x0000000022DF0000-0x0000000022E9D000-memory.dmp

Filesize
692KB

Download
memory/3860-77-0x0000000020080000-0x00000000200AC000-memory.dmp

Filesize
176KB

Download
memory/3860-63-0x0000000003650000-0x000000000370D000-memory.dmp

Filesize
756KB

Download
memory/3860-65-0x0000000003740000-0x000000000376B000-memory.dmp

Filesize
172KB

Download
memory/3860-61-0x0000000003080000-0x0000000003221000-memory.dmp

Filesize
1.6MB

Download
memory/3860-67-0x0000000003880000-0x000000000391D000-memory.dmp

Filesize
628KB

Download
memory/3860-54-0x00000000022C0000-0x000000000235B000-memory.dmp

Filesize
620KB

Download
memory/3860-53-0x0000000001D80000-0x0000000001E1E000-memory.dmp

Filesize
632KB

Download
memory/3860-52-0x0000000001CD0000-0x0000000001D7C000-memory.dmp

Filesize
688KB

Download
memory/3860-70-0x00000000054D0000-0x00000000055FA000-memory.dmp

Filesize
1.2MB

Download
memory/3860-60-0x0000000002540000-0x0000000003001000-memory.dmp

Filesize
10.8MB

Download
memory/3860-69-0x0000000003C30000-0x0000000003C60000-memory.dmp

Filesize
192KB

Download
memory/3860-68-0x0000000003920000-0x0000000003A20000-memory.dmp

Filesize
1024KB

Download
memory/3860-55-0x0000000002360000-0x000000000248A000-memory.dmp

Filesize
1.2MB

Download
memory/3860-56-0x0000000002490000-0x000000000253A000-memory.dmp

Filesize
680KB

Download
memory/3860-57-0x0000000002220000-0x0000000002275000-memory.dmp

Filesize
340KB

Download
memory/3860-58-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download
memory/3860-59-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/3860-50-0x0000000001810000-0x0000000001AD9000-memory.dmp

Filesize
2.8MB

Download
memory/3860-51-0x0000000001C40000-0x0000000001CD0000-memory.dmp

Filesize
576KB

Download
memory/3860-49-0x0000000001750000-0x000000000180E000-memory.dmp

Filesize
760KB

Download
memory/3860-48-0x0000000000E00000-0x0000000000E65000-memory.dmp

Filesize
404KB

Download
memory/3860-47-0x0000000026EB0000-0x0000000026EB6000-memory.dmp

Filesize
24KB

Download
memory/3860-46-0x0000000026E90000-0x0000000026EAA000-memory.dmp

Filesize
104KB

Download
memory/3860-41-0x0000000000ED0000-0x000000000124C000-memory.dmp

Filesize
3.5MB

Download
memory/3860-42-0x0000000023F00000-0x0000000023F9E000-memory.dmp

Filesize
632KB

Download
memory/3872-662-0x0000000000640000-0x0000000000AEC000-memory.dmp

Filesize
4.7MB

Download
memory/3872-664-0x0000000000640000-0x0000000000AEC000-memory.dmp

Filesize
4.7MB

Download
memory/4892-515-0x000001AA54310000-0x000001AA54332000-memory.dmp

Filesize
136KB

Download